I am building an online ordering system and want to use the session to generate an order number, keeping every item on that order tied together by the session ID.
The first page generates the session ID and the order number.
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
session_start();
?>
<html>
<head>
<title>Online Ordering</title>
<style>
h3 {
    text-align: center;
}
h5 {
    text-align: center;
}
</style>
</head>
<body>
<?php
$sessionid = session_id();
$currentDate = date('Y-m-d');
echo "sessionNUM          = $sessionid\n";
echo "<br>";
//Connect to DB
require_once 'configordonline.php';
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);
//Enter Session ID and set Order ID
//search for session info already existing. The session id comes from the client's
//cookie, so it is bound as a parameter rather than concatenated into the SQL.
$stmt = $conn->prepare("SELECT ORDID FROM HEADERS WHERE sessionid=? AND date=?");
$stmt->bind_param('ss', $sessionid, $currentDate);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
    echo "session info already exists";
}
else {
    $stmt = $conn->prepare("INSERT INTO HEADERS VALUES (NULL, ?, ?, 'noneyet')");
    $stmt->bind_param('ss', $sessionid, $currentDate);
    if ($stmt->execute()) {
        echo "New record created successfully";
    }
    else {
        echo "Error inserting header: " . $conn->error;
    }
}
//Fetch the ORDID that belongs to this session id
$stmt = $conn->prepare("select ORDID from HEADERS where sessionid=?");
$stmt->bind_param('s', $sessionid);
$stmt->execute();
list($ORDERNUM) = $stmt->get_result()->fetch_row();
echo "<br>";
echo "<br>";
echo "ORDERNUM          = $ORDERNUM\n";
$_SESSION["OrderNum"] = $ORDERNUM;
echo "<br>";
echo "<br>";
echo "Session variables are set.";
?>
<br><br><br>
<h3>At which location would you like to pick up your order?</h3>
<form method="POST">
<input type="hidden" name="pickedlocation" value="HP">
<button type="submit" formaction="redacted.php" style="margin:auto;display:block">HP</button>
</form>
<br>
<form method="POST">
<input type="hidden" name="pickedlocation" value="BS">
<button type="submit" formaction="redacted.php" style="margin:auto;display:block">BS</button>
</form>
</body>
</html>
The second page generates a new sessionID, so it does not pick up the order number.
<?php
session_start();
require_once 'configordonline.php';
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);
echo "START Debugging Info:";
echo '<br><br>';
$sessionid = session_id();
$currentDate = date('Y-m-d');
echo "sessionNUM          = $sessionid\n"; echo "<br>";
//Look the order up by session id (bound parameter: the id comes from the client's cookie)
$stmt = $conn->prepare("select ORDID from HEADERS where sessionid=?");
$stmt->bind_param('s', $sessionid);
$stmt->execute();
$row = $stmt->get_result()->fetch_row();
$ORDERNUM = $row ? $row[0] : null;   // null when no HEADERS row matches this session id
echo "ORDERNUM= $ORDERNUM\n";
echo "<br>";
$ordernum = $ORDERNUM;
echo $ordernum;
echo '<br>';
//The posted value is user input: default it when absent and HTML-escape it before echoing
$LOCATION = $_POST["pickedlocation"] ?? '';
echo htmlspecialchars($LOCATION, ENT_QUOTES, 'UTF-8');
echo "<br><br>";
echo "END Debugging Info";
echo '<br>';
echo "_____________________________";
echo '<br><br><br><br><br><br><br>';
if ($LOCATION == 'HP') {
    $stmt = $conn->prepare("UPDATE HEADERS SET location = 'HYDEPARK' WHERE ORDID = ?");
    $stmt->bind_param('s', $ordernum);
    if ($stmt->execute()) {
        echo "Location updated successfully";
    }
    else {
        echo "Error updating Location: " . $conn->error;
    }
    echo "<br><br>";
    $res = $conn->query("select wait from Wait where location ='HydePark'");
    list($wait) = $res->fetch_row();
    echo "The estimated wait at Hyde Park is currently $wait minutes";
}
if ($LOCATION == 'BS') {
    $stmt = $conn->prepare("UPDATE HEADERS SET location = 'BARTONSPRINGS' WHERE ORDID = ?");
    $stmt->bind_param('s', $ordernum);
    if ($stmt->execute()) {
        echo "Location updated successfully";
    }
    else {
        echo "Error updating Location: " . $conn->error;
    }
    echo "<br><br>";
    $res = $conn->query("select wait from Wait where location ='BartonSprings'");
    list($wait) = $res->fetch_row();
    echo "The estimated wait at Barton Springs is currently $wait minutes";
}
?>
<html>
<body>
<form>
<button type="submit" formaction="redacted.php" style="display:block">Continue</button>
</form>
</body>
</html>
Answer 0 (score: 1)
I don't think relying on the session ID is the best approach, not to mention that it is not very secure, since you would need to fix the session ID across all requests and send it to the client, which would leave you vulnerable to session hijack. An alternative would be as simple as a timestamp, stored in a session variable. You can use this to do that.
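The following is an added example written for this page, not code from the question or the answer. It implements the answer's advice of keeping the order number in a session variable instead of keying the order on the session ID, and it addresses the two pages above: the order row is created once and its ORDID stored in `$_SESSION`, so a regenerated session ID (the symptom on the second page) no longer loses the order; the pickup code from the form is checked against an allowlist and every query is a prepared statement. It assumes the HEADERS table implied by the question's INSERT (ORDID auto-increment primary key, sessionid, date, location), a `configordonline.php` that defines `$hn`, `$un`, `$pw` and `$db`, and PHP 7.4 or later; the function names are illustrative. The database's own auto-increment ID is used as the order number rather than a timestamp, because two visitors ordering in the same second would otherwise collide.

```php
<?php
// Added example, written for this page; it is not code from the question or
// the answer. It assumes the HEADERS table the question's INSERT implies
// (ORDID auto-increment primary key, sessionid, date, location) and a
// configordonline.php defining $hn, $un, $pw and $db. Everything else is
// illustrative.
declare(strict_types=1);

session_start();
require_once 'configordonline.php';

// Throw on any MySQL error instead of carrying on with a false result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli($hn, $un, $pw, $db);

// The only pickup codes the form may submit, mapped to the stored location name.
const LOCATIONS = [
    'HP' => 'HYDEPARK',
    'BS' => 'BARTONSPRINGS',
];

/**
 * Return this visitor's order id, creating the order on first use.
 * The id is kept server side in $_SESSION and the row is keyed by ORDID,
 * never looked up by session_id(), so a regenerated session id does not
 * orphan the order the way it did on the question's second page.
 */
function currentOrderId(mysqli $conn): int
{
    if (isset($_SESSION['OrderNum'])) {
        return (int) $_SESSION['OrderNum'];
    }
    $stmt = $conn->prepare(
        "INSERT INTO HEADERS (sessionid, date, location) VALUES (?, ?, 'noneyet')"
    );
    // sessionid is recorded for audit only; it is not a lookup key.
    $sid  = session_id();
    $date = date('Y-m-d');
    $stmt->bind_param('ss', $sid, $date);
    $stmt->execute();
    $orderId = (int) $conn->insert_id;
    $_SESSION['OrderNum'] = $orderId;
    // Rotate the session id now that state is attached to the session
    // (defeats session fixation); the order survives because of the ORDID key.
    session_regenerate_id(true);
    return $orderId;
}

/**
 * Record the pickup location for an order. $code comes straight from the
 * form, so it is checked against the allowlist first, and the UPDATE is a
 * prepared statement: nothing from the request is spliced into SQL.
 */
function setPickupLocation(mysqli $conn, int $orderId, string $code): string
{
    if (!array_key_exists($code, LOCATIONS)) {
        throw new InvalidArgumentException('unknown pickup location');
    }
    $name = LOCATIONS[$code];
    $stmt = $conn->prepare("UPDATE HEADERS SET location = ? WHERE ORDID = ?");
    $stmt->bind_param('si', $name, $orderId);
    $stmt->execute();
    return $name;
}

$orderId = currentOrderId($conn);
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $name = setPickupLocation($conn, $orderId, (string) ($_POST['pickedlocation'] ?? ''));
        $message = "Pickup location set to $name";
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        $message = 'Please choose one of the listed locations.';
    }
}
// Escape everything echoed into HTML, including the order number.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>Online Ordering</title></head>
<body>
<p>Order number: <?= $h((string) $orderId) ?></p>
<p><?= $h($message) ?></p>
<?php foreach (LOCATIONS as $code => $name): ?>
<form method="post">
<input type="hidden" name="pickedlocation" value="<?= $h($code) ?>">
<button type="submit"><?= $h($name) ?></button>
</form>
<?php endforeach; ?>
</body>
</html>
```

Because the order number only ever lives in `$_SESSION`, the page never has to echo the session ID or put it in a hidden field, and `session_regenerate_id(true)` can be called freely (for example after login) without losing the order. If the session cookie itself is not being sent back by the browser, which is what a fresh session ID on every request points to, check the cookie path and domain in `session.cookie_path` / `session.cookie_domain` and make sure both pages are served from the same host and scheme.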